The AI shield for the EU enterprise.
Five pillars — Scansione, Catena di custodia, Uso conforme, Dati controllati, Operatori verificati — keeping every Claresia AI agent inside policy, EU AI Act, and Garante boundaries. Italian-first. Cryptographically verifiable. On by default.
AI risk is real, immediate, and asymmetric. A single autonomous skill that emails the wrong recipient, triggers a workflow against the wrong tenant, or leaks a codice fiscale into a third-party model can unwind months of trust — and trigger Garante or NIS2 reporting obligations within hours.
Claresia SCUDO is our answer. Five pillars, cryptographically anchored, EU AI Act + Garante explicit, on by default for every tenant. It maps one-to-one with Glean's AWARE framework so head-to-head security reviews are honest. It extends AWARE with a fifth EU-specific pillar — Uso conforme — that auto-stamps Article 50 disclosures and regenerates the Annex IV technical-doc pack every night.
Scudo is the Italian word for shield. It drops cleanly into a CISO slide. It doesn't oversell. It is the explicit aggregation of governance contracts the platform already enforces.
Every pillar declares: what it is, the control it provides, the implementation in Claresia today, how it maps to EU regulation, and what the customer sees on Trust Center.
Scansione (AWARE: Autonomous guardrails + Restricted topics)
Every write-class action passes through a per-tenant restricted-topics policy + alignment model before any token leaves Claresia infrastructure.
Per-tenant restricted_topics.json (Italian defaults: codice fiscale exposure, biometric inference, fully-automated employment decisions per Garante 2024) plus a Haiku-grade alignment model that re-reads the planned tool call against the tenant rubric and flags concerns. Any finding at severity block or higher rejects the call (severity≥block ⇒ rejected).
No write-class action ever fires without a fresh policy + alignment check bound to the tenant rubric.
Trust Center › Governance › Restricted-topics editor (per-tenant) + Audit log entries showing pre-scan verdict per skill invocation.
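The policy-engine half of that pre-scan, as an added TypeScript example that is not Claresia's code (the page only names restricted-topics.ts, it does not show it). It loads a constructed stand-in for a tenant's restricted_topics.json, checks one planned tool call against it, and returns a verdict that rejects at severity block or above. Topic ids, action names, citations and the sample tool calls are placeholders; the alignment-model re-read is not modelled. Matched evidence is masked so the verdict, which ends up in the audit log, does not itself leak the value it flagged.

```typescript
// Severity ladder; the tenant rubric rejects at "block" or above.
type Severity = "info" | "warn" | "block";
const SEVERITY_RANK: Record<Severity, number> = { info: 0, warn: 1, block: 2 };
const REJECT_AT: Severity = "block";

type Detector =
  | { kind: "regex"; pattern: string }     // matched against the serialised call arguments
  | { kind: "action"; actions: string[] }; // matched against the tool action name

interface RestrictedTopic {
  id: string;
  severity: Severity;
  detector: Detector;
  citation: string; // regulatory reference the tenant policy cites
}

interface TenantPolicy { tenant_id: string; topics: RestrictedTopic[]; }

interface PlannedToolCall {
  skill: string;
  action: string;
  args: Record<string, unknown>;
}

interface Finding { topic: string; severity: Severity; evidence: string; citation: string; }
interface Verdict { decision: "allow" | "allow_with_warnings" | "reject"; findings: Finding[]; }

// Constructed stand-in for a tenant's restricted_topics.json. Ids, actions
// and citations are placeholders, not Claresia's shipped defaults.
const EXAMPLE_POLICY: TenantPolicy = {
  tenant_id: "tenant-example",
  topics: [
    {
      id: "codice_fiscale_exposure",
      severity: "block",
      // Simplified codice fiscale shape (ignores omocodia substitutions).
      detector: { kind: "regex", pattern: "\\b[A-Z]{6}\\d{2}[ABCDEHLMPRST]\\d{2}[A-Z]\\d{3}[A-Z]\\b" },
      citation: "placeholder-citation: Garante, fiscal-code exposure",
    },
    {
      id: "automated_employment_decision",
      severity: "block",
      detector: { kind: "action", actions: ["hr.reject_candidate", "hr.terminate", "hr.rank_candidates"] },
      citation: "placeholder-citation: GDPR Art. 22 / Garante 2024",
    },
    {
      id: "biometric_inference",
      severity: "block",
      detector: { kind: "action", actions: ["vision.identify_person", "vision.estimate_emotion"] },
      citation: "placeholder-citation: Garante, biometric processing",
    },
    {
      id: "personal_email_in_payload",
      severity: "warn",
      detector: { kind: "regex", pattern: "\\b[\\w.+-]+@[\\w-]+\\.[\\w.-]+\\b" },
      citation: "placeholder-citation: tenant-local rule",
    },
  ],
};

// Keep only a short prefix of matched evidence: the verdict is logged, and the
// log must not become a second copy of the sensitive value.
function mask(value: string): string {
  return value.slice(0, 3) + "*".repeat(Math.max(0, value.length - 3));
}

function prescan(policy: TenantPolicy, call: PlannedToolCall): Verdict {
  const findings: Finding[] = [];
  const serialisedArgs = JSON.stringify(call.args);

  for (const topic of policy.topics) {
    const det = topic.detector;
    if (det.kind === "action") {
      if (det.actions.includes(call.action)) {
        findings.push({ topic: topic.id, severity: topic.severity, evidence: `action=${call.action}`, citation: topic.citation });
      }
    } else {
      const re = new RegExp(det.pattern, "gi");
      let m: RegExpExecArray | null;
      while ((m = re.exec(serialisedArgs)) !== null) {
        findings.push({ topic: topic.id, severity: topic.severity, evidence: mask(m[0]), citation: topic.citation });
      }
    }
  }

  // Worst severity seen decides; -1 means no finding at all.
  const worst = findings.reduce((acc, f) => Math.max(acc, SEVERITY_RANK[f.severity]), -1);
  const decision: Verdict["decision"] =
    worst >= SEVERITY_RANK[REJECT_AT] ? "reject" :
    worst >= 0 ? "allow_with_warnings" : "allow";
  return { decision, findings };
}
```

Detector-by-action covers topics that are about what the skill does (an employment decision, a biometric lookup) rather than what the payload contains, which pattern matching alone cannot see; the two kinds are deliberately kept in one policy file so the audit entry can cite the same topic id either way.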
Catena di custodia (AWARE: Ecosystem observability)
Every privileged action emits a SHA-256 hash-chained governance event. Tamper-evident, customer-verifiable, 7-year retention by default.
Each event carries the SHA-256 of the previous event for the same (tenant_id, stream), forming a Merkle-style append-only ledger. Anchors into cc-050 Hub. cc-064 Telemetry forwards records to the customer per-tenant SIEM destination.
Complete, tamper-evident, cryptographically-verifiable history of every AI action with deterministic offline replay.
Trust Center › Audit › Downloadable signed audit log (JSON) + per-tenant SIEM streaming destination + standalone verify-chain CLI.
Uso conforme (no direct AWARE pillar: SCUDO EU-specific differentiator)
Every output meeting Article 50 / Article 22 / Annex III triggers is auto-stamped with locale-aware disclosure. Annex IV technical-doc pack regenerates nightly per tenant.
Outputs facing natural persons or matching Annex III categories carry an Article 50 transparency stamp in the user locale (it/en at minimum). Article 22 outputs are reserved-to-human. Annex IV pack auto-built from deployed skill IRs and exported per tenant.
Customer cannot ship a non-compliant AI output by accident. Disclosure is automatic; technical documentation is always export-ready.
Trust Center › EU AI Act conformance pack (per-tenant Annex IV PDF + SHA-256 checksum) + every AI surface stamps disclosures in EN/IT.
Dati controllati (AWARE: Work context + Glean Protect data-loss controls)
Every LLM call from every Claresia function routes through cc-073 LLM Gateway: model allowlist, EU region pinning, bidirectional PII redaction, per-tenant workspace, hard cost cap.
Single egress path. Default region eu-south-1 (Milano). Per-tenant Anthropic / OpenAI workspace via admin APIs. Microsoft Presidio + custom NER bidirectional redaction. Hard quota. Full audit log streamed to customer SIEM. Optional BYOC mode (gateway in customer VPC, customer-held keys).
Customer data flows out of Claresia perimeter only through one auditable choke point with explicit allowlisted destinations.
Trust Center › Sub-processors page (auto-populated from gateway log) + per-tenant Egress dashboard (model usage by region + redaction-rate counters).
Operatori verificati (AWARE: Actor intent)
Every action is bound to a verified human (WorkOS / SCIM) + an immutable skill IR hash + a declared intent. No anonymous actions, no unapproved skill versions.
WorkOS / SSO / SCIM-provisioned identity, MFA via customer IdP. Each skill carries an immutable ir_hash; only Roster-approved IR hashes can dispatch. For autonomous schedules, the human owner of the schedule is captured + the tenant policy permitting unattended execution.
No action is anonymous; no action runs against an unapproved skill version; every parameter preserved for forensics.
Admin console › Roster (approved-skills view) + Audit log filterable by employee + Telemetry-suppression toggle (cohort-only mode for Statuto compliance).
SCUDO is not a layer bolted on top — it is the governance contract surface every layer of the platform already enforces. Below: the six layers and the SCUDO pillars that gate each transition.
Layer 6: End-user surfaces (Teams · Slack · Adaptive Cards · Browser ext)
  ↓ all output stamped under [U] Uso conforme
Layer 5: Distribution adapters (cc-063 Claude · cc-065 Copilot · cc-070 ChatGPT)
  ↓ dispatches gated by [O] Operatori verificati
Layer 4: Hub UX + Roster (cc-060 Hub UX · cc-061 Roster Engine)
  ↓ Roster enforces approved IR hashes
Layer 3: Function execution (Sailford · Forge · Boss · Ledger · Gatespic · Takecare · Steve · Clawshield · Zottos)
  ↓ every LLM call → [D] Dati controllati Gateway
  ↓ every write-class action → [S] Scansione
Layer 2: cc-050 Intelligence Hub (provenance · tenants · rosters)
  ↓ holds the [C] Catena di custodia
Layer 1: Tenant infra (Postgres EU · WorkOS · storage · SIEM destination)
Skill IRs labelled risk_class: high are default-denied until the tenant admin explicitly approves them into Roster.
High-risk activation requires admin approval in cc-059 and a checked-in Article 14 human-oversight policy file.
Restricted-topics, locale, region all default to Italy + EU. eu-south-1 Milano. Italian DPA. EN/IT stamps.
Glean's AWARE is a serious framework. SCUDO maps one-for-one to make head-to-head reviews easy. Where Glean is honestly ahead today (broader connectors, named SOAR partner), we say so. Where SCUDO pulls ahead — explicit EU AI Act stamping, Garante-cited defaults, cryptographically-verifiable chain — we name it cleanly.
Sources: glean.com/blog/agentic-security-aware, glean.com/security.
The full pillar-by-pillar regulatory map lives in compliance-mapping-italy.md. Highlights below.
Restricted-topics ships citation-by-citation references. New Garante notices land in tenant policies within 14 days of publication.
cc-064 telemetry per-employee logging is indirect monitoring under Italian law. SCUDO ships:
ISO 27001 Q3 2026 · ISO 42001 Q4 2026 — explicit clause map shipped today.
Every Claresia tenant gets all five pillars enabled out of the box. Tenants can configure restricted topics, allowed LLM models, egress regions, and SIEM destinations from the cc-059 admin console.
The TypeScript scaffold backing every pillar lives in cc-aware-governance/lib/governance/:
restricted-topics.ts — policy engine
alignment-prescan.ts — Haiku-grade alignment check
llm-gateway.ts — single egress + redaction + meter
eu-ai-act-disclosure.ts — Article 50 stamp
audit-chain.ts — SHA-256 chain + verifier
tests/governance.test.ts — 22 contract tests, all green

The pack includes: SCUDO framework spec (PDF), Italian compliance mapping, vs-Glean battlecard, sample audit chain export with the verify-chain CLI, sample Annex IV technical-doc pack, and the latest Italian DPA template.